Has anyone had to retrieve data from a FAS setup?
From what I can gather FAS (Fabric Attached Storage) is for all intents and purposes the same as NAS but with more connection and configuration options.
I found the below quote on F-response website so appears there may be hope. The FAS in question is running "OnTap" to provide access, beyond that I don't know too much about it yet.
The NAS had an on board CentOS installation, and access to the RAID is via Linux Logical Volume Manager (LVM).
I was able to map a loopback device to the logical volume presented by LVM and using F-Response Tactical, access the loopback device from across the network. Very happy with that."
Edit please disregard, in this instance I will be able to extract the files I need with Xways directly into an evidence container. Testing on my local network showed no change of date/time stamps or any data corruption. I think I was over complicating the matter in my own head by taking the approach I would if I was trying to acquire a 'whole disc image'
Just for info, It would seem that you are talking about a NetApp filer.
They are basically NAS arrays. They run a proprietary raid called raid-dp, which is based in raid 6, and the file system is called WAFL.
Raid group size defaults to 16 disks, but can be any number (over 4), and then volumes are written across aggregates of raid groups.
They also have various built in technologies such a deduplication, snapshots, thin provisioning. They also support self encrypting disks and disk scrubbing.
Each filer (there are normaly 2) runs a root volume that houses the OS (OnTap).
My guess would be that traditional disk imaging would be out of the window with one of these!
You are right, traditional disc imaging is becoming increasingly difficult and in some cases just not possible with the new types of corporate networks.
A short time back it was just the virtual networks which spanned multiple physical machines that were causing headaches, now this kind of stuff…..the mind boggles )
I can see tools like F-Response becoming more and more critical as a way to access these type of networks. Hopefully they keep pace with the changes.